IMHO, if you're a lazy learning, this isn't for you. However, for the rest of us, this is the best bang for the buck! Loved meeting people, getting hands-on, asking questions of the instructors, other students, and  the Lab Assistants. It's hard work; no joking. But if you're the type to squeeze what you can from it, this is what you were looking for. I even did a discount certification exam at .conf! ... View more

This is intimidating for first-timers. I regretfully was intimidated the first time and walked out. Overcome your fear and do it! It's like drinking from a firehose and you'll never have more fun doing it - because it isn't actual work! Shout out to the teams who took me on as a single player! Was great when I didn't have a team of my own. BOTS has been part of my experience 4 times after that walk-out, and I look forward to it every .conf I go to.  ... View more

IMHO: This is cooler than they say it is. I participated in this at a prior .conf. While not all of the innovations struck chords with me, two did in a large way. We were able to provide feedback and I am proud that our feedback wasn't used in one (they eventually went to something way better), and the other one we were influential in, and were able to beta test when it was ready. I'm glad I could swing the time in my agenda that year. Hope you have a similar experience! ... View more

I've attended 4 physical and 2 virtual .conf's, and have upped my game as I took more advantage of everything .conf and the community has to offer. Even co-presented at .conf19; a solution that is still in use! However, due to financial pressures, I will not likely be there this year. Wishing everyone a great .conf! ... View more

I've learned so much and had fun along the way. The best of both worlds! Bring foam earplugs everywhere you go, it makes things much nicer for the loud events like the keynote openers, the search party, etc. Bring your curiosity and talk to a LOT of people. The biggest Splunk nerds taught me the "hallway conf" is sometimes more valuable than the sessions. Make time to mix it with the Splunk community at large - even in the hallways! In addition to the Fez's look for capes, scarves, and at people's badges... these are other ways to locate Splunk Champions, returning .conf Alumni, and maybe more details. These are not Splunk employees, but part of the community who enjoy helping others! If you're in Splunk University, it's a great place to talk to people too. Yes you're there to learn, but talk it up before, after and on your breaks. I met some great people without really trying while I was in Splunk University! Keara's talking points above are a great start! Do everything, even if you feel it's not a fit. You're there to grow and learn, right? Make the most of your .conf time, it goes by fast! It's been said before, but it bears repeating. Join the community in slack and here at community.splunk.com! But don't just join, contribute! Being a regular in these places will elevate your game. In the community and at .conf, don't be insecure. We all start somewhere. I've found the culture in our Splunk community to be quite welcoming!  Enjoy and Keep Splunking! ... View more

@kumaranv  I don't see a point to that, and would say don't do that. However, assuming you have reasons I can't think of, that's not going to be possible. The best you could do is to use an HTML panel with a hyperlink to the specific docs you were looking to embed. ... View more

@maiks1When I saw another fields values show up in a given field, a sysadmin had changed the order of the logs. This can show up as a new order to the same number of fields, introduction of a new field in the log, removal of a field, which changes the order of later fields in the log, etc.. Sourcetype configuration wasn't updated, so it keeps parsing per its definition. Lesson: walk through the whole thing slowly, starting at the beginning. Once you identified what changed, then you can work on why it changed. ... View more

1) The limits.conf file is configured by your administrator: https://docs.splunk.com/Documentation/Splunk/9.2.0/admin/limitsconf#.5Brex.5D 2) When I search for similar questions to yours. I find some possible answers to your problem: https://community.splunk.com/t5/Splunk-Search/Rex-has-exceeded-configured-match-limit/m-p/391837 https://community.splunk.com/t5/Splunk-Search/Regex-error-exceeded-configured-match-limit/m-p/469890 https://community.splunk.com/t5/Splunk-Search/Error-has-exceeded-configured-match-limit/m-p/539725 3) You'll notice in these other answers, that the questions supply a log sample and their query to show what the rex is working against. Only do this if the event information is not sensitive. But without that information, it'll be difficult for the community to help you. That's why I'm supplying you with some other information too. ... View more

Note: 1) The spath command can be expensive, especially against large data sets 2) If all you need is to parse a string and get the values, consider regular expressions for json data also. In the rex below, I named the a|b|c|d field "foo", in case it had value later on. If not, it doesn't need to be used | makeresults ```creating dummy data based on the original question``` | eval json_data="{data: {a : { x: {value_x} y: {value_y}}} }" | append [ makeresults | eval json_data="{data: {b : { x: {value_x} y: {value_y}}} }" ] | append [ makeresults | eval json_data="{data: {c : { x: {value_x} y: {value_y}}} }" ] | append [ makeresults | eval json_data="{data: {d : { x: {value_x} y: {value_y}}} }" ] ```ending the creation of dummy data``` | rex field=json_data "{(?<foo>\w+)\s:\s{\s\sx:\s{(?<x_value>.+)}\s\sy:\s{(?<y_value>.+)}}}" ```parse strings using a regular expression``` | table json_data x_value y_value ```display results of regular expression in a table``` Results in:   ... View more

@shocko  I love the question. The answers are complicated.  I'll respond below for Simple XML Dashboards. For Dashboard Studio, please submit a different and detailed question to the Splunk Community. 1) themes out of the box are light and dark. You can look through the docs on how to create your own, if you wish: https://dev.splunk.com/enterprise/docs/developapps/createapps/buildapps/adduithemes/ 2) If you search your Splunk filesystem for bootstrap-dark.css, you'll find the file that provides dark theme. 2.5) If you don't have access to the filesystem, you can use your browser dev tools to get the URL to bootstrap-dark.css. 2.7) Be warned. It's a BIG file. Formatted pretty, it comes to >7300 lines 3) You're better off to change the font, IMHO, to use CSS overrides. To read more: https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/UseCSS https://docs.splunk.com/Documentation/Splunk/9.1.2/Viz/PanelreferenceforSimplifiedXML Finally, note in that last example, you can include css style inside an HTML panel within a dashboard. Searching through this larger Splunk Answers Community for "html css style dashboard panel", should yield you plenty of examples. Here's a great one from my friend Niket to get you started with nearly ready copy/paste code: https://community.splunk.com/t5/Dashboards-Visualizations/How-to-add-style-to-panel-titles-in-my-dashboard/m-p/405736   ... View more

@niketn  I miss you, my friend. I remember this started a great bunch of conversations between us that included a hug at .conf19. I want to give a shout out to @kaeleyt for providing my go-to solution for this problem: https://community.splunk.com/t5/Splunk-Search/How-to-add-colors-to-a-table-for-dynamic-columns/m-p/411419 After looking further, I found this line in the documentation, https://docs.splunk.com/Documentation/Splunk/latest/Viz/TableFormatsXML: "If you do not specify a field, the format rule is applied to the entire table. " So the magic is not specifying a field in the line:   <format type="color">   I also want to provide, like Niket taught me by example, to include a run-anywhere example implementing the solution.   <dashboard version="1.1"> <label>Erics Column Test</label> <row> <panel> <title>Data Example</title> <table> <search> <query>index=_internal sourcetype=splunkd log_level!=INFO earliest=-7m@m latest=now | eval Time=strftime(_time,"%Y-%m-%d %H:%M") | chart count as Error by component Time</query> <earliest>-1h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="color"> <colorPalette type="list">[#118832,#1182F3,#CBA700,#D94E17,#D41F1F]</colorPalette> <scale type="threshold">0,30,70,100</scale> </format> </table> </panel> </row> </dashboard>     ... View more

@sjringo  You're so close... you need a "BY _time" on your stats line index=anIndex sourcetype=aSourcetype "SFTP upload finished" OR "File sent to MFS" OR "File download sent to user" OR "HTTP upload finished" earliest=-0month@month latest=now | bucket _time span=day | stats count(eval(searchmatch("SFTP upload finished"))) as SFTPCount count(eval(searchmatch("File sent to MFS"))) as MFSCount count(eval(searchmatch("File download sent to user"))) as DWNCount count(eval(searchmatch("HTTP upload finished"))) as HTTPCount BY _time ... View more

HI@arist0telis ! A percentage is number of escalations out of the total established, times 100. Or with more math notation: (BotEscalated/ChatbotEstablished) x 100 = Percentage Escalated So we convert that to eval statements. I haven't tested it below, but it should be pretty close. index=sfdc sourcetype=sfdc:conversationentry EntryType IN ("ChatbotEstablished", "BotEscalated") | stats count(eval(EntryType=='BotEscalated')) as "BEcount", count(eval(EntryType=='ChatbotEstablished')) as "CEcount" ``` get the counts``` | eval mypercentage = round(('BEcount'/'CEcount')*100, 2) ```get the percentage and round to 2 places``` ... View more

@av_  Thank you for the additional detail. Makes sense. I would handle that as two separate jobs. I would say this is the solution and can be cleanly executed.   ... View more

Hi @av_ ! Your expression looks correct to account for the 8 hour difference, assuming the cron job is executing in your timezone. 21:00 Sunday GMT would be 5:00 Monday BJT. So if that is not working as expected, then the cron job may not be running out of your GMT timezone. If it's running out of the BJT timezone, then the cron needs to be re-written to: */5 5-22 * * 1-5 Did you test that? What was the result? If that also isn't working, then more details are needed for people to figure out why the cron is executing in neither timezone ... View more

Hi @av_ ! To double-check cron expressions, I may resort to using a tool like crontab guru. When I put the expression you provided in there, it suggests the 0-5 part of the cron expression includes Sunday. https://crontab.guru/#*/5_21-23,0-13_*_*_0-5 So if we change that part from 0-5 to 1-5, it appears that may work for you. Good luck! If you find this hopeful please give it a thumbs up! ... View more

Hi @av_ ! There's a tool some of us use to provide a gut-check, crontab guru (not affiliated in any way with it - just a user),  which I used on the cron you provided: https://crontab.guru/#*/5_21-23,0-13_*_*_0-5 The tool's assessment, is the cron runs on Sundays. If we breakdown the cron, the last part (0-5) sets the days of the week. So it we try changing that to 1-5, it appears it may work for you. */5 21-23,0-13 * * 1-5 There are other tools out there. There's nothing magical about what I used, but I like it for people who are unfamiliar with cron. Good luck! If this helped you, please provide it a thumbs up. ... View more

@geofrey1  Welcome to the Splunk Community! You mean after people log in, the page that loads is not the same for everyone? That's correct. Each person can set their own preference. Once logged in, click your username, select preferences, and select your default application. Each default application, can also have a default page, but you can't select that, that's in the app's configuration set by the admins. ... View more

Hi @kundanti! Here's some helpful links to get you started on your journey. Once you have attempted to solve the problem, if you have a very specific issue, open a new question here. You'll need a search specific to your environment and your permissions that can access the information: https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-to-find-license-usage-for-a-particular/m-p/359652 Then you'll need to figure out what "normal" for your org looks like. Then you'll need to alert if below "normal". https://community.splunk.com/t5/Alerting/alert-on-license-usage/m-p/32474 Good luck! ... View more

@Sharzi  There's no silver bullet to these types of things. It's a lot of trial and error. @VatsalJagani offered some good tips. We also found sometimes using the AUTO window when scheduling (with the cron), have some queries send to summary index once a week (instead of twice a day), making sure we look at conflicting schedules, s not just our jobs in our app, but all jobs across all apps, etc. After support tickets, with band-aids like this, things became worse. We diagnosed the hardware and found contention on some KPI's. We upgraded the hardware and the issues went away. Good luck! ... View more

@sovereign-03  You provided the search you're running, but what's the problem? You mention unbalanced quotes in your title, but there's no quotes in your search. Is it that the search won't run, or you aren't getting the results you expected (what are the results you're getting?), or something else? More details may lead to someone being able to help out. ... View more

@Jdtoney  My mind went to regular expressions, and I went to sanity check my thoughts against the following articles: https://community.splunk.com/t5/Splunk-Search/Multi-Line-field-extraction/m-p/331355 https://community.splunk.com/t5/Splunk-Search/Multi-line-field-Extraction/m-p/73920 with one of them mentioning using the field extractor: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX Using what you provided, I was able to craft a regular expression that gets close to what you want as two fields, and then you can use an eval to glue the two fields together. YMMV, for what you want to capture and not, and based on your actual logs. Regular Expression: Message: Help\. Reason: (?<firstpart>.*)\n\n.*?@ 1 @ (?<secondpart>.*).$ In context: https://regex101.com/r/29jHcy/1 Good luck! If this was helpful at all, please consider giving some karma. ... View more

Congratulations to everyone in this Splunk MVP cohort! I am humbled and honored to have been selected for this amazing group! ... View more